Monday, July 24, 2006

WebSEAL: Secure only login page

login redirects is a new feature in Tivoli Access Manager V5.1 . With this new function, all users are can be to the same configured URL after successful authentication. In order to implement secure login pages followed by secure and unsecure pages, the following steps have to be followed:

Install and configure Tivoli Access Manager for e-business with atleast one WebSEAL Server.

Define an ACL that requires authenticated access for the chosen secured resources. Remember that an ACL that is not attached to protected resources has no impact.

acl create secure-access-for-all

acl modify secure-access-for-all set any-other rTl

acl modify secure-access-for-all set unauthenticatedl

Attach the ACL to the resources requiring authentication. The failure of an unauthenticated request when attempting to access this page will initiate the WebSEAL authentication processing. The precise objects the ACL will be attached to will depends upon the configuration of the environment, namely which host the WebSEAL server is on, and which instance is being used.

acl attach /WebSEAL//portal/myportal secure-access-for-all

Configure WebSEAL for forms-based authentication over HTTPS protocol by setting the forms-auth parameter to https in the [forms] stanza of the WebSEAL instance's configuration file, that is

/etc/webseald-.conf

Note that this indirectly prevents login over HTTP.

Configure WebSEAL to share the same user session across HTTP and HTTPS protocols. This change is made in the same configuration file as in the preceding step, by setting the value of the use-same-session parameter of the [session] stanza to true.

Configure WebSEAL to automatically redirect to the secure portal page over HTTP. This change is made in the same configuration file as in the preceding step, by setting the value of the login-redirect parameter of the [acnt-mgt] stanza to http://:/portal/myportal. Note that this resource must be accessible to all users, and so it is recommended that the secure-access-for-all ACL described in the first step of this procedure be attached to this resource.

Configure WebSEAL to allow for automatic redirects when using the forms authentication method. This change is made in the same configuration file as in the preceding step, by setting the value of the redirect parameter of the [enable-redirects] stanza to forms-auth.

Customize the WebSEAL error page for Forbidden (HTTP status code 403) to detect if the user has made the request over HTTP, and automatically redirect to HTTPS to login. Add the code fragment from listing 1 at the top of the file

/www-/lib/errors//38cf0427.html.

Restart the WebSEAL instance. On a machine with multiple instances, ensure that the correct instance is restarted.